Port reference
Port 5432 (TCP) – PostgreSQL
Default listener for PostgreSQL relational database connections.
Default state
PostgreSQL listens on localhost by default; listen_addresses must be changed to expose it. Many deployments set it to 0.0.0.0 and loosen pg_hba.conf, exposing 5432 across the network.
Common attacks
- Credential brute force and password spraying against postgres and app roles
- Abuse of overly permissive pg_hba.conf trust rules
- Privilege abuse, including command execution via COPY PROGRAM as superuser
- SQL injection pivoting into the database engine
Hardening
- Keep listen_addresses on localhost or a private interface; never expose 5432 to the internet
- Tighten pg_hba.conf — require scram-sha-256, avoid trust auth
- Enforce strong passwords and least-privilege roles; restrict superuser use
- Require TLS for client connections and segment with firewalls
- Keep PostgreSQL patched and monitor failed logins
nmap snippet
nmap -p5432 --script pgsql-brute <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 5432?
Port 5432 is the default TCP listener for PostgreSQL, a powerful open-source
relational database. Application servers and admin tools such as psql and
pgAdmin connect over 5432 to run SQL against databases that back web apps, data
platforms, and analytics workloads.
Why it matters for security
PostgreSQL often holds critical and regulated data, so an exposed 5432 is a
valuable target. Access is gated by pg_hba.conf, and a misconfigured rule —
especially trust auth on a public listen_addresses — can let anyone connect
without a password. A superuser connection is effectively full control of the
database and, through features such as COPY ... PROGRAM, of the host.
How it's attacked
Attackers scan for open 5432, then brute-force credentials for the
postgres superuser and application roles. Weak pg_hba.conf rules are abused to
bypass authentication. With superuser rights, an attacker can run
COPY ... PROGRAM to execute OS commands, and SQL injection in apps can pivot
directly into the engine.
Hardening checklist
Keep listen_addresses on localhost or a private interface and 5432 off the
public internet, behind a firewall or VPN. Tighten pg_hba.conf to require
scram-sha-256 and reject trust auth, enforce strong passwords and
least-privilege roles, and limit superuser use. Require TLS and patch
regularly. Use the nmap snippet above to test for weak credentials on hosts you
are authorized to assess.
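To turn the hardening list and checklist above into something checkable, here is an added example (not part of this reference page or of PostgreSQL itself) that parses a pg_hba.conf and flags trust rules, md5/password auth, and non-TLS host rules reachable from outside loopback or private address space. The sample config, the severity labels and the choice of "private" ranges are constructed for illustration.

```python
import ipaddress
# Constructed sample pg_hba.conf (not from any real deployment): good and weak rules mixed.
SAMPLE_HBA = """
# TYPE   DATABASE  USER      ADDRESS         METHOD
local    all       all                       peer
host     all       all       127.0.0.1/32    scram-sha-256
host     all       all       0.0.0.0/0       trust
host     all       postgres  10.0.0.0/8      md5
hostssl  app       app_user  10.1.2.0/24     scram-sha-256
"""
# Loopback plus RFC 1918 / ULA space: clients matched here are not on the public internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128",
                "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_hba(text):
    rules = []  # one dict per rule; auth options after METHOD are ignored
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":  # local (unix socket) rules have no ADDRESS column
            addr, method = None, f[3]
        else:
            addr, method = f[3], f[4]
        rules.append({"type": f[0], "db": f[1], "user": f[2], "addr": addr, "method": method})
    return rules

def is_public(addr):
    # True when the ADDRESS can match a client outside loopback/private space.
    if addr is None or addr in ("samehost", "samenet"):
        return False
    if addr == "all":
        return True
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return True  # hostname or typo: cannot verify, so treat as reachable
    return not any(net.subnet_of(p) for p in PRIVATE_NETS if p.version == net.version)

def audit_hba(text):
    findings = []  # (severity, message) pairs, in file order
    for r in parse_hba(text):
        who = f"{r['user']}@{r['addr'] or 'unix socket'}"
        if r["method"] == "trust":
            findings.append(("critical" if is_public(r["addr"]) else "high", f"trust auth for {who}"))
        elif r["method"] in ("md5", "password"):
            findings.append(("medium", f"{r['method']} auth for {who}; use scram-sha-256"))
        if r["type"] == "host" and is_public(r["addr"]):
            findings.append(("high", f"non-TLS host rule reachable from {r['addr']}; use hostssl"))
    return findings
```

Running audit_hba on the sample yields a critical finding for the 0.0.0.0/0 trust rule, a high finding because that same rule also allows non-TLS connections, and a medium finding for the md5 rule; the hostssl/scram-sha-256 rule is clean.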
Frequently asked questions
- Is it safe to expose port 5432 to the internet?
- No. Internet-facing PostgreSQL is scanned and brute-forced. Keep listen_addresses private, tighten pg_hba.conf, require TLS, and connect over a VPN or SSH tunnel.
- What makes pg_hba.conf risky?
- It controls who can authenticate and how. A 'trust' rule on a public address lets anyone connect with no password. Use scram-sha-256 and restrict by source IP.